Life is unpredictable. Catastrophes can and do happen. Fires, floods, bombs, lawsuits: businesses get insurance to protect themselves when things, inevitably, go wrong.
But few companies have cyber-security insurance despite the pervasive concern about identity theft and information security exposures.
According to the 2005 CSI/FBI Computer Crime and Security Survey, only 25 per cent use insurance to manage cyber-security risks, although the vast majority of respondents experienced breaches, with average losses of $204,000. Why the low uptake to help manage an area many senior executives say is a top priority?
“It’s a matter of getting the right price for cyber-security insurance. It comes down to economics. But this is a tough product for insurance companies,” said Lawrence A. Gordon, co-author of the survey and professor of information assurance at the University of Maryland.
A chicken-and-egg problem is at the core.
The percentage of organizations reporting computer intrusions to law enforcement continues its multi-year decline, driven by fears of market backlash. But insurance companies need this fundamental information to discern patterns in cyber-crime and develop the actuarial databases that form the basis of insurance risk assessment and pricing.
Despite the under-reporting problem, some major insurance companies started offering cyber-security insurance around 1999. But other issues are inhibiting uptake. Mass-market awareness of security risks has only recently percolated beyond regulated high-risk sectors like financial institutions and healthcare. And many companies are facing sharply increased costs for traditional “mandatory” insurance products such as property and casualty, leaving them with little budget to cover other risks.
There are also internal reporting and communication breakdowns at many companies, according to Robert Parisi, technology and telecommunications practice leader at Marsh Inc., a New York-based insurance brokerage. “If the technology side of the house is not reporting to the treasury or risk management side how often these security incidents happen, the guys whose business it is to buy insurance may not know the risk because no one tells them,” he said.
From the insurance carrier’s perspective, under-reporting increases the risk of adverse selection and poses a moral hazard. In insurance parlance, adverse selection refers to the problem that arises when the party seeking insurance has private information not available to the insurance company.
A person who is ill, for example, is more likely to seek insurance than a healthy one, and has an incentive to hide his condition. Moral hazard refers to the lack of incentives to the insured party to take actions that reduce the probability of loss after insurance is provided. Flood insurance, for example, can increase the likelihood of houses being built in high-risk areas like New Orleans.